<p>Just sanitize your DB entries and you'll be ok. Rails does that by default now. You just have to use the framework correctly. Check this out for more information: <a href="http://wiki.rubyonrails.org/howtos/security/sql_injection" rel="nofollow noreferrer">http://wiki.rubyonrails.org/howtos/security/sql_injection</a></p>
<p>DO THIS:</p>
<pre><code># bound placeholder: ActiveRecord quotes params[:name] before it reaches the SQL
Project.find(:all, :conditions =&gt; ["name = ?", params[:name]])
# or the hash form, which quotes the value the same way
Project.find(:all, :conditions =&gt; {:name =&gt; params[:name]})
</code></pre>
<p>NOT THIS:</p>
<pre><code># string interpolation puts the raw request value straight into the SQL text
Project.find(:all, :conditions =&gt; "name = '#{params[:name]}'")
</code></pre>
<p>You also have to prevent XSS attacks by going</p>
<pre><code>&lt;%=h possible_harmful_text %&gt;
</code></pre>
<p>For reference:</p>
<blockquote>
<p>Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities as of 2007. Often during an attack "everything looks fine" to the end-user who may be subject to unauthorized access, theft of sensitive data, and financial loss. (<a href="http://en.wikipedia.org/wiki/Cross-site_scripting" rel="nofollow noreferrer">via wikipedia</a>)</p>
</blockquote>
<p>and of course</p>
<blockquote>
<p>SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.<a href="http://en.wikipedia.org/wiki/Cross-site_scripting" rel="nofollow noreferrer">1</a> (<a href="http://en.wikipedia.org/wiki/SQL_injection" rel="nofollow noreferrer">via wikipedia</a>)</p>
</blockquote>
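<p>An added example, not part of the answer above and not Rails' own code: a small plain-Ruby stand-in for what the <code>["name = ?", value]</code> placeholder form does with a value containing a quote, beside the interpolated form, plus the <code>h</code> half via <code>ERB::Util.html_escape</code> (the stdlib function Rails' <code>h</code> helper wraps). The functions <code>quote_sql_string</code>, <code>sanitize_conditions</code>, <code>interpolated_conditions</code> and the sample value are constructed for illustration.</p>

```ruby
require "erb"

# Stand-in for ActiveRecord placeholder substitution: every "?" in the
# template becomes the matching value as a quoted SQL string literal, with
# any embedded single quote doubled so it cannot end the literal early.
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def sanitize_conditions(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "#{placeholders} placeholders but #{values.size} values"
  end
  pending = values.dup
  template.gsub("?") { quote_sql_string(pending.shift) }
end

# The "NOT THIS" shape from the answer: the raw value is spliced into the
# SQL text, so a quote in the input changes the statement's structure.
def interpolated_conditions(name)
  "name = '#{name}'"
end

# Rails' h() delegates to this; it rewrites & < > " ' as HTML entities so
# browser-supplied text is rendered as text rather than parsed as markup.
def h(text)
  ERB::Util.html_escape(text)
end

SAMPLE_NAME = "O'Reilly" # constructed input containing an embedded quote

if __FILE__ == $0
  puts "placeholder:   " + sanitize_conditions("name = ?", SAMPLE_NAME)
  puts "interpolated:  " + interpolated_conditions(SAMPLE_NAME)
  puts "html escaped:  " + h("<b>#{SAMPLE_NAME}</b>")
end
```

<p>Run it and compare the two SQL fragments: the placeholder form yields one well-formed literal, while the interpolated form produces a statement whose structure now depends on the input.</p>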